# Finite Key Size Analysis of Two-Way Quantum Cryptography


## Abstract


## 1. Introduction

## 2. Two-Way Protocols

_{x}, $\sigma_y$, $\sigma_z$}. She would subsequently submit the qubit back to Bob for measurements. Alternatively, she could measure the received qubit in the Z basis and prepare another in the X basis to be sent to Bob. The former process, done with probability c ≈ 1, corresponds to her actions in EM, while the latter, done with probability 1 − c, corresponds to CM. Although the use of 4 unitaries implies a larger alphabet, particularly elements of $\mathbb{Z}_4$ (0, 1, 2, 3 mapped to I, $\sigma_x$, $\sigma_y$, $\sigma_z$ respectively) as opposed to bits for encoding, Alice could in fact assign logical bits (in pairs) 00, 10, 11 and 01 to the unitaries. However, the mapping $f:\mathbb{Z}\to {\mathbb{Z}}_{2}^{2}$ to bits should be done only at the end of the protocol to avoid any possibility of Eve capitalizing on the correlation of bits given any pair [12].

^{+}〉, $|\psi^{-}\rangle$, $|\phi^{+}\rangle$ and $|\phi^{-}\rangle$ respectively, these instances referred to as EM provide for sharing of a raw key between Alice and Bob. Again, it is possible for Bob to use bits instead when Alice submits the mapping information to Bob at the end of the protocol runs. The instances when Alice’s and Bob’s measurements in the Z and X bases coincide would allow for a meaningful CM. Hence a successful EM happens only with probability $c^2$ and CM happens with probability $(1 - c)^2$. A schematic diagram for SDC is illustrated in Figure 1 below.

_{X} and $p_Z$ respectively to be sent to Alice for her encoding. In the original LM05 protocol, apart from $p_X = p_Z$, only two unitary transformations were considered, namely the passive I and $i\sigma_y$. In [5], a generalization was made to include another two unitary transformations, namely $\sigma_x$ and $\sigma_z$, and the possibility of having different probabilities $p_X$ and $p_Z$. In this protocol, upon executing her unitary transformation, Alice would resubmit the qubit to Bob who would measure in the same basis he prepared in. Defining the eigenstates of $\sigma_z$ and $\sigma_x$ as |z±〉 and |x±〉 respectively, bit values 0 may be assigned to the states |z+〉 or |x+〉 and 1 to the states |z−〉 or |x−〉. Bob then adds (modulo 2) the bit value corresponding to his prepared state (prior to sending to Alice) to the bit value corresponding to his measurement result of the state (after Alice’s encoding). We will mention shortly what Alice needs to do in order to share bit-wise information with Bob. This run of the protocol corresponds to an EM.

_{0} = {I, $i\sigma_y$} and $S_1 = \{\sigma_x, \sigma_z\}$ was the transformation she had used and only the first bit of the bit pair for each transformation is used. This revelation is necessary given Bob’s measurement in the X basis would give him an erroneous bit when Alice uses $S_1$. In these cases, Bob would need to flip his bit.

#### 2.1. Purifications of Two-Way Protocols

_{ABE} is a state in the Hilbert space $\mathscr{H}_A \otimes \mathscr{H}_B \otimes \mathscr{H}_E$ (Alice’s, Bob’s and Eve’s respectively) and $\mathscr{H}_A$ and $\mathscr{H}_B$ are Hilbert spaces for two qubit systems each. Alice’s measurement ${M}_{A}^{\mathrm{EM}}$ in EM, which acts on a two qubit system, must be such that it is equivalent to her encoding operation in the protocols. If we recall how in both protocols Alice receives a state from Bob and resends it after a unitary encoding on the state, ${M}_{A}^{\mathrm{EM}}$ can be understood as a (POVM) acting on the received state with half of some entangled state, so that the other half of the entangled state (after the measurement ${M}_{A}^{\mathrm{EM}}$) is the same as the output from Alice’s encoding to be sent to Bob [14]. Thus we can imagine $\rho_{ABE}$ as that pure state which distributes a pair of qubits to Alice and Bob each. Alice’s measurement on the two received qubits, $\mathrm{tr}_{BE}(\rho_{ABE})$, would ensure that Bob’s measurement ${M}_{B}^{\mathrm{EM}}$ on his received pair, $\mathrm{tr}_{AE}(\rho_{ABE})$, is equivalent to Alice making a unitary transformation on Bob’s prepared qubit for his subsequent decoding measurement. With regard to Bob’s measurements ${M}_{B}^{\mathrm{EM}}$, it is instructive to note that in SDC, ${M}_{B}^{\mathrm{EM}}$ is really the Bell measurement for decoding purposes, while in LM05, Bob’s measurement on the first half of $\mathrm{tr}_{AE}(\rho_{ABE})$ effectively prepares the qubit state sent to Alice (in the forward path) while his other measurement is on the other half of $\mathrm{tr}_{AE}(\rho_{ABE})$. The measurements ${M}_{A}^{\mathrm{CM}}$ and ${M}_{B}^{\mathrm{CM}}$ would then correspond to relevant local measurements of each qubit in the qubit pairs in CM (detailed in the ensuing section). Given these, the main ingredient in the security proof for the purified protocols is based on bounding Eve’s information gain given Bob-Alice’s using an uncertainty relation which measures the overlap of Bob’s (Alice’s) measurements, i.e., ${M}_{B}^{\mathrm{EM}}$, ${M}_{B}^{\mathrm{CM}}$ (${M}_{A}^{\mathrm{EM}}$, ${M}_{A}^{\mathrm{CM}}$) in a reverse (direct) reconciliation scenario.

#### 2.2. Measurements and Entropic Uncertainty Relations

_{z} ⨂ $\sigma_x$ where the overlap between the POVM elements as defined in Equation (3) is 1/4. This maximal overlap is achieved when considering the overlap between the POVM elements in EM and those in CM. If we let the measurements by Alice and Bob result in the strings ${S}_{A}^{\mathrm{EM}}$ and ${S}_{B}^{\mathrm{EM}}$ respectively from EM and ${S}_{A}^{\mathrm{CM}}$ and ${S}_{B}^{\mathrm{CM}}$ respectively from CM, and denote Eve’s system as E, we can bound Eve’s information based on Equation (2) as

_{SDC}, is given by the Devetak-Winter rate [19]

_{4} is the 4-ary Shannon entropy and ${\overline{q}}_{\mathrm{CM}}$ and ${\overline{q}}_{\mathrm{EM}}$ are errors in Alice’s and Bob’s strings in CM and EM respectively, applying the bound of Equation (4) we arrive at

_{LM05} can be easily shown to be

_{2} is the binary Shannon entropy and $q_{\mathrm{CM}}$ and $q_{\mathrm{EM}}$ are the errors in the CM and EM respectively.

#### 2.3. Smooth Entropies and Finite Keys

_{BE} on B and E, the entropy of B given E is defined as

_{E} in E and $I_B$ is the identity on B. The ϵ-smooth min-entropy for ϵ ≥ 0 is then defined as

_{BE} not exceeding ϵ. The smooth max-entropy is defined as the dual of the smooth min-entropy with regards to any purification of $\rho_{BE}$.

_{ABE} and POVMs $\mathbb{X}$ and ℤ respectively on B (resulting in bit strings X and Z), from [20], the smooth min-entropy of X conditioned on E, $H_{\min}^{\epsilon}(X|E)$, gives the number of bits contained in X that are ϵ-close [22] to a uniform distribution and independent of E. The smooth max-entropy of Z conditioned on A, $H_{\max}^{\epsilon}(Z|A)$, gives the number of bits needed to reconstruct Z from A up to a probability of failure ϵ and the generalized uncertainty relation involving smooth entropies is given as [20]

_{z} ⨂ $\sigma_x$ in SDC and ${\mathcal{Z}}_{\mathcal{C}}$ and ${\mathcal{X}}_{\mathcal{C}}$ in LM05 happens only in CM, one can see the protocol as analogous to the asymmetrical prepare and measure protocol of BB84, where the measurements in EM are seen as measurements in the preferred basis in the asymmetrical BB84. In the case for the latter, in [9], where measurements are made in the X and Z, a gedankenexperiment was considered where all measurements were done in the Z basis to establish an uncertainty relation. Following [9], in the case for the LM05, we can use the bits derived in the CM to provide for an estimation of the errors in the application of the uncertainty relation using a similar gedankenexperiment where all rounds are CM; and since Bob can choose to measure for EM, security follows from the notion that the better Alice could estimate Bob’s bits in CM, the worse would be Eve’s estimation of Bob’s bits in EM.

## 3. Efficiency and Secure Key Rates

_{1} and $e_2$ in the forward and backward paths respectively, we say the channels are independent provided the error in EM is given by $e_m = e_1(1 - e_2) + e_2(1 - e_1)$. Otherwise they are correlated [24]. While the case for independent channels is unique by definition, the cases for correlated channels can be infinitely many. However, we shall only consider, as in [5], correlated channels where $e_1 = e_2 = e_m$.

_{2}(Q + μ(n, k)) where

_{S} > 0 is a security parameter as defined in [9].

#### 3.1. Finite Key Analysis for SDC

^{2}/4). The number of bits required to reconstruct ${S}_{B}^{\mathrm{CM}}$ from ${S}_{A}^{\mathrm{CM}}$ (as two n bit length strings) up to a probability of failure ϵ,

#### 3.2. Finite Key Analysis for LM05

_{Z} > $p_X$) and Alice either encodes with any one of her transformations with probability c/4 or makes measurements in the X basis only with probability 1 − c. Furthermore, the ensuing deliberations would be focused on the RR scenario. Alice’s and Bob’s choice of measuring 2M(n; k) qubit pairs in the basis X with probability 1 − c results in ${n}_{e}=n+\sqrt{nk}$ bits derived from EM and k for CM. Hence $\sqrt{nk}$ pairs would be wasted due to bases mismatch when Alice measures in X while Bob chooses Z (notice that $2\sqrt{nk}$ qubits are wasted in [9] for similar reasons).

_{f} as the error rate in EM, noting $H_{\max}^{\epsilon}({s}_{B}^{\mathrm{EM}}|{s}_{A}^{\mathrm{EM}})\le {n}_{e}{h}_{2}({Q}_{f})$ and following Equations (14), (20) and (21), the key length after error correction and privacy amplification is given by

## 4. Numerical Results and Comparisons

_{S}, which we set as $10^{-10}$. Then, for a given value for errors in the CM (errors in EM are then immediately defined), setting the number for M(n, k), we determine the value k which achieves the maximal value for secure key length. As M(n, k) approaches infinity for n → ∞, following [9] we could let $k<\mathcal{K}\sqrt{n}$ for some fixed $\mathcal{K}$, so that

#### 4.1. Independent Channels

^{2})/4 respectively [5].

_{2}[2q/2(1 − q/2)], SDC’s $h_4[(2q - q^2)/4]/2$ while for BB84, it is simply $h_2(q/2)$ where

^{4}. In the same figure we see that when the errors are big enough to outweigh the contribution from $\sqrt{nk}$, LM05 performs poorly compared to BB84. The error correction term for SDC is only very slightly better than that of LM05 in the infinite key regime, explaining why it still does not exceed LM05’s $\sqrt{nk}$ advantage in the finite key scenario here. Thus LM05 exceeds BB84 up to an error rate of about 2.7%. However, in Figure 4 where the number of qubits used, M(n, k) = $10^7$, LM05 exceeds BB84 only up to about 1% and SDC’s up to 3.8%. The plot of the protocols’ efficiency against M(n, k) for the error of 0.01 in Figure 5 exhibits the convergence of the efficiencies as the number of qubits used increases up to $10^7$. These results clearly emphasize LM05’s determinism over the asymmetric BB84’s. It is worth recalling the fact that while LM05 claims deterministic status in terms of the absence of bases mismatch in EM, BB84 only approximates this (in the infinite key regime). Figure 6 exhibits the case for the three protocols in the infinite key regime.
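The infinite-key error-correction terms quoted in this subsection, evaluated numerically as an added example (not code from the paper). It assumes that $h_4(x)$ is the entropy of the distribution $(1 - 3x, x, x, x)$, which the text here does not spell out; all function names are illustrative.

```python
import math

def shannon(probs):
    """Shannon entropy (bits) of a probability vector; zero terms contribute 0."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def h2(x):
    """Binary Shannon entropy."""
    return shannon([x, 1 - x])

def h4(x):
    """4-ary entropy. ASSUMPTION: each of the three wrong symbols occurs with
    probability x, so the distribution is (1 - 3x, x, x, x)."""
    return shannon([1 - 3 * x, x, x, x])

def em_independent(e1, e2):
    """EM error rate for independent forward (e1) and backward (e2) channels."""
    return e1 * (1 - e2) + e2 * (1 - e1)

def ec_terms(q):
    """Error-correction terms quoted in Section 4.1 for channel parameter q."""
    if not 0 <= q <= 1:
        raise ValueError("q must lie in [0, 1]")
    return {
        "BB84": h2(q / 2),
        # LM05: per-pass error q/2 on each path, i.e. h2[2(q/2)(1 - q/2)]
        "LM05": h2(em_independent(q / 2, q / 2)),
        # SDC: two bits per pair, hence the division by 2
        "SDC": h4((2 * q - q * q) / 4) / 2,
    }

if __name__ == "__main__":
    print(f"{'q':<7}{'BB84':>8}{'SDC':>8}{'LM05':>8}")
    for q in (0.02, 0.054, 0.1, 0.2):  # sample values chosen for illustration
        t = ec_terms(q)
        print(f"{q:<7}{t['BB84']:>8.4f}{t['SDC']:>8.4f}{t['LM05']:>8.4f}")
```

Under this assumption each bit of an SDC pair is wrong with marginal probability $2x = q - q^2/2$, the same argument that LM05's $h_2$ takes, so subadditivity of entropy gives $h_4/2 \le h_2$. The gap between the two terms is exactly the correlation between the two bit errors, which is why it is small.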

## 5. Conclusions

^{4}) as well as lower depolarization of channels, we observe an obvious advantage in LM05 due to having more bits for raw key purpose (derived from EM). This results from LM05’s encoding/decoding process which is independent of Bob’s choice of bases for measurement processes; which is in fact the ‘deterministic’ merit claim of the protocol. This advantage does however diminish in the region of asymptotically long keys when compared to BB84 (as well as the SDC).

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## References and Notes

- Lucamarini, M.; Mancini, S. Quantum key distribution using a two-way quantum channel. Theor. Comput. Sci. **2014**, 560, 46–61.
- Gisin, N.; Ribordy, G.; Tittel, W.; Zbinden, H. Quantum cryptography. Rev. Mod. Phys. **2002**, 74, 145–195.
- Boström, K.; Felbinger, T. Deterministic Secure Direct Communication Using Entanglement. Phys. Rev. Lett. **2002**, 89, 187902.
- Lu, H.; Fung, C.-H.F.; Ma, X.; Cai, Q.-Y. Unconditional security proof of a deterministic quantum key distribution with a two-way quantum channel. Phys. Rev. A **2011**, 84, 042344.
- Beaudry, N.J.; Lucamarini, M.; Mancini, S.; Renner, R. Security of two-way quantum key distribution. Phys. Rev. A **2013**, 88, 062302.
- Lucamarini, M.; Mancini, S. Secure Deterministic Communication without Entanglement. Phys. Rev. Lett. **2005**, 94, 140501.
- Hayashi, M. Practical evaluation of security for quantum key distribution. Phys. Rev. A **2006**, 74, 022307.
- Scarani, V.; Renner, R. Quantum Cryptography with Finite Resources: Unconditional Security Bound for Discrete-Variable Protocols with One-Way Postprocessing. Phys. Rev. Lett. **2008**, 100, 200501.
- Tomamichel, M.; Lim, C.C.W.; Gisin, N.; Renner, R. Tight finite-key analysis for quantum cryptography. Nat. Commun. **2012**, 3.
- Lo, H.-K.; Chau, H.F.; Ardehali, M. Efficient quantum key distribution scheme and a proof of its unconditional security. J. Cryptol. **2005**, 18, 133–165.
- Cai, Q.-Y.; Li, B.-W. Improving the capacity of the Boström-Felbinger protocol. Phys. Rev. A **2004**, 69, 054301.
- Bechmann-Pasquinucci, H.; Tittel, W. Quantum cryptography using larger alphabets. Phys. Rev. A **2000**, 61, 062308.
- Lo, H.K.; Chau, H.F. Unconditional security of quantum key distribution over arbitrarily long distances. Science **1999**, 283, 2050–2056.
- This is referred to as a purification of Alice’s encoding in [5].
- Maassen, H.; Uffink, J.B.M. Generalized Entropic Uncertainty Relations. Phys. Rev. Lett. **1988**, 60, 1103–1106.
- Renes, J.M.; Boileau, J.C. Conjectured strong complementary information tradeoff. Phys. Rev. Lett. **2009**, 103, 020402.
- Berta, M.; Christandl, M.; Colbeck, R.; Renes, J.M.; Renner, R. The uncertainty principle in the presence of quantum memory. Nat. Phys. **2010**, 6, 659–662.
- Coles, P.J.; Yu, L.; Gheorghiu, V.; Griffiths, R.B. Information theoretic treatment of tripartite systems and quantum channels. Phys. Rev. A **2011**, 83, 062338.
- Devetak, I.; Winter, A. Distillation of secret key and entanglement from quantum states. Proc. R. Soc. A **2005**, 461, 207–235.
- Tomamichel, M.; Renner, R. Uncertainty relation for smooth entropies. Phys. Rev. Lett. **2011**, 106, 110506.
- Tomamichel, M.; Colbeck, R.; Renner, R. Duality between smooth min- and max-entropies. IEEE Trans. Inf. Theory. **2010**, 56, 4674–4681.
- According to a distance that is based on the same notion of purified distance, for the classical register X arising from POVM $\mathbb{X}$ on B, given quantum side information E [31].
- The results should coincide with Alice’s measurement in CM when their bases coincide.
- A similar case for correlations between errors in the forward and backward path in CM was studied in [32].
- While for LM05 only a single qubit travels to and fro between the communicating parties, the case for SDC makes use of entangled pairs. Thus M(n, k) for SDC must be understood as number of qubit pairs.
- It is possible to consider a more practical scenario, for example for a bit string with error rate e, a cofactor would be multiplied to the amount of bits needed for such a purpose given by $h_2(e)$.
- Tomamichel, M.; Schaffner, C.; Smith, A.; Renner, R. Leftover Hashing Against Quantum Side Information. IEEE Trans. Inf. Theory. **2011**, 57, 5524–5535.
- Cabello, A. Efficient Quantum Cryptography. Rec. Res. Dev. Phys. **2001**, 2, 249–257.
- Pirandola, S.; Mancini, S.; Lloyd, S.; Braunstein, S.L. Continuous-variable quantum cryptography using two-way quantum communication. Nat. Phys. **2008**, 4, 726–730.
- An ideal error correction efficiency is considered for convenience; which is also the case for LM05 in the ensuing subsection.
- Tomamichel, M. A Framework for Non-Asymptotic Quantum Information Theory. Ph.D. Thesis, Dissertation ETH No. 20213, ETH Zurich, Zurich, Switzerland.
- Shaari, J.S.; Lucamarini, M.; Mancini, S. Checking noise correlations for safer two-way quantum key distribution. Quantum. Inf. Process. **2014**, 13, 1139–1153.

**Figure 1.** Schematic diagram for SDC. Arrows represent the distribution of qubits in the channels between Alice and Bob. The arrows in Bob’s and Alice’s stations both see branchings with probability c or 1 − c for EM or CM respectively.

**Figure 2.** Schematic diagram for LM05. Arrows represent the distribution of qubits in the channels between Alice and Bob. Note that the arrow in Alice’s station branches off with probability c or 1 − c for EM or CM respectively.

**Figure 3.** Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against error rate q/2 given independent channels for total qubit used as M = $10^4$.

**Figure 4.** Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against error rate q/2 given independent channels for total qubit used as M = $10^7$.

**Figure 5.** Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against total qubit used, M (for SDC, it is to be understood as total pairs used) for error rate 0.01. The horizontal dashed lines represent the infinite key regime.

**Figure 6.** Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against error rate q/2 given independent channels in the infinite key limit.

**Figure 7.** Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against error rate q/2 for total qubit used as M = $10^4$ for correlated channels specified by $e_1 = e_2 = e_m$.

**Figure 8.** Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against error rate q/2 for total qubit used as M = $10^7$ for correlated channels specified by $e_1 = e_2 = e_m$.

**Figure 9.** Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against total qubit used, M (for SDC, it is to be understood as total pairs used) for error rate 0.01 for correlated channels specified by $e_1 = e_2 = e_m$. The horizontal dashed lines represent the infinite key regime.

**Figure 10.** Efficiency for Asymmetrical BB84, LM05 (both black) and SDC (green) against error rate q/2 for correlated channels specified by $e_1 = e_2 = e_m$ in the infinite key limit.

© 2015 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Shaari, J.S.; Mancini, S.
Finite Key Size Analysis of Two-Way Quantum Cryptography. *Entropy* **2015**, *17*, 2723-2740.
https://doi.org/10.3390/e17052723
